How to set up DKIM for Gmail is one of the most important questions for anyone sending business email from a custom domain.
This guide explains the full process, from generating the DKIM key to checking that Gmail signs your messages correctly.
What DKIM Does for Gmail Sending
DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to outgoing email so receiving mail servers can confirm the message was authorized by your domain.
In Gmail, DKIM is especially valuable for organizations using Google Workspace because it helps improve sender reputation, reduce spoofing, and support inbox placement.
When DKIM is enabled, Gmail signs outbound messages using a private key stored by Google and publishes the matching public key in your domain’s DNS.
Receiving servers such as Microsoft 365, Yahoo Mail, and Postfix-based systems can then validate the signature against the DNS record.
Before You Begin
To complete DKIM setup for Gmail, you need access to both Google Workspace Admin Console and your domain’s DNS provider, such as Cloudflare, GoDaddy, Namecheap, or Route 53.
You should also confirm that your domain already has basic email authentication in place, especially SPF and ideally DMARC.
- A Google Workspace account with admin privileges
- A domain you control, such as example.com
- Permission to edit DNS records
- Existing mail flow through Gmail or Google Workspace
How to Set Up DKIM for Gmail
1. Open the Google Workspace Admin Console
Sign in to the Admin Console at admin.google.com with an administrator account.
From the home screen, go to Apps, then Google Workspace, then Gmail, and open Authenticate email.
This section is where Google lets you create the DKIM record for your domain.
If your domain has multiple aliases or subdomains, make sure you are configuring the correct domain name that sends mail.
2. Generate a DKIM record
In the DKIM settings area, choose the domain you want to authenticate and click Generate new record.
Google will ask you to select a key length, typically 2048-bit if your DNS provider supports long TXT records.
Google will then provide two critical values:
- A DNS host name, usually something like google._domainkey
- A TXT value containing the public key
Copy these exactly as shown.
Small formatting mistakes, extra spaces, or truncation in DNS are common reasons DKIM verification fails.
3. Publish the DNS TXT record
Log in to your DNS host and create a new TXT record.
The record name should usually be the selector plus ._domainkey for your domain, such as google._domainkey.example.com.
Paste the TXT value provided by Google into the record content field.
If your DNS provider splits long strings automatically, that is fine as long as the published record matches the full value.
Save the record and wait for DNS propagation, which may take a few minutes or several hours depending on the provider.
4. Return to Gmail and start authentication
Once the TXT record is visible in DNS, go back to the Admin Console and click Start authentication.
Google will check whether the public key is published correctly and, if successful, begin signing outbound email with DKIM.
If the record is not yet visible, wait and try again later.
DNS timing is one of the most common delays during setup.
How to Verify DKIM Is Working
After enabling DKIM, send a test email from your Gmail or Google Workspace account to a mailbox you control, such as another Gmail account or a testing inbox.
Open the message headers and look for a DKIM pass result.
In Gmail, you can use the message menu and choose Show original.
A properly configured message should show something similar to:
- Authentication-Results: dkim=pass
- Signed by: yourdomain.com
- SPF and DMARC results, if configured
You can also use tools such as MXToolbox, Google Admin Toolbox Messageheader, or mail-tester.com to inspect the authentication results.
These tools help identify mismatched selectors, bad TXT formatting, or alignment problems with DMARC.
Common DKIM Setup Problems
Why does Gmail still show DKIM as not authenticated?
The most common cause is that the DNS record has not fully propagated or was entered incorrectly.
Check for typos in the selector name, missing quotation marks copied into the wrong field, and incomplete TXT values that were cut off by your DNS provider.
What if my DNS provider does not support 2048-bit keys?
Some older DNS systems have record length limits that make 2048-bit DKIM difficult to publish.
In that case, use a 1024-bit key if Google Workspace permits it in your environment, or move DNS hosting to a provider with better TXT record support.
Can DKIM fail even if SPF passes?
Yes.
SPF and DKIM are separate authentication methods.
SPF checks whether the sending server is authorized, while DKIM checks whether the message was signed by the domain.
For DMARC to pass, at least one of them must align with the visible From domain.
Best Practices for Gmail DKIM Configuration
Use a 2048-bit key whenever possible because it provides stronger protection than older shorter keys.
Keep your DNS records tidy, and avoid editing the DKIM TXT record after Google has started signing mail unless you are intentionally rotating keys.
For higher reliability, pair DKIM with SPF and DMARC.
This three-part setup helps mailbox providers trust your email and gives you reporting visibility into spoofing or misconfiguration.
If you send through multiple systems, make sure each sender is authenticated correctly and does not break alignment.
- Use one consistent sending domain for branded mail
- Monitor DMARC reports for authentication failures
- Recheck DNS after any domain migration or hosting change
- Rotate keys periodically if your security policy requires it
How DKIM Affects Deliverability
Properly configured DKIM does not guarantee inbox placement, but it is a strong signal to providers like Gmail, Outlook, and Yahoo that your email is legitimate.
Authenticated mail is less likely to be flagged as suspicious, especially when combined with a good sender reputation, low complaint rates, and clean list hygiene.
For transactional email, newsletters, and customer notifications, DKIM is often a baseline requirement.
Without it, even well-written messages can struggle to reach the inbox consistently.
When to Recheck Your DKIM Settings
Review DKIM any time you change DNS hosting, move to a new Google Workspace domain, or notice delivery issues in message headers.
You should also recheck after domain transfers, certificate or security changes, and email platform migrations.
If your organization manages multiple domains or regional sending environments, document the selector name, DNS host, and key rotation dates so future changes are easier to validate.